Cybersecurity News
Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of type of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.
The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.
Jan 28, 2016 | Cybersecurity News, Internet Security News
Ask anyone to name a basic security protection to prevent hackers from gaining access to a device or network, and the use of a secure password would feature pretty high up that list. However, even a tech giant the size of Lenovo can fail to implement secure passwords. Recent Lenovo SHAREit vulnerabilities have been discovered, one of which involves the use of a hard-coded password that ranks as one of the easiest to guess.
Recently, SplashData published a list of the 25 worst passwords of 2015, and the one chosen by Lenovo is listed in position three between “password” and “qwerty.” To all intents and purposes, Lenovo may well not have bothered adding a password at all, such is the degree of security that the password offers. That password has also been hardcoded.
In fact, the company didn’t actually bother with adding a password at all in one of the new SHAREit vulnerabilities.
Four Lenovo SHAREit vulnerabilities have now been patche
Lenovo SHAREit is a free cross-platform file transfer tool that allows the sharing of files across multiple devices, including PCs, tablets and Smartphones. Perhaps unsurprisingly, given Lenovo has been found to be installing irremovable software via Rootkit and shipping its laptops with pre-installed spyware, some security vulnerabilities exist in its SHAREit software.
Four new Lenovo SHAREit vulnerabilities have been discovered showing some shocking security lapses by the Chinese laptop manufacturer. If the Lenoto SHAREit vulnerabilities are exploited, they could result in leaked information, integrity corruption, and security protocol bypasses, and be used for man-in-the-middle attacks.
The hardcoding of the password 12345678, listed as CVE-2016-1491 by Core Security, is shocking. Configure Lenovo ShareIt for Windows to receive files, and 12345678 is set as the password for a Wi-Fi hotspot. The password is always the same and any system with a Wi-Fi Network could connect.
According to Core Security, if the Wi-Fi network is on and connected, files can be browsed by performing an HTTP Request to the WebServer launched by Lenovo SHAREit, although they cannot be downloaded. (CVE-2016-1490).
The third vulnerability, named CVE-2016-1489, is the transfer of files in plain text via HTTP without encryption. A hacker could not only view those files but also modify the content.
The fourth SHAREit vulnerability, CVE-2016-1492, concerns SHAREit for Android. When configured to receive files, an open Wi-Fi HotSpot is created and no password is set. If a hacker were to connect, the transferred files could be intercepted.
Core Security did disclose the Lenovo SHAREit vulnerabilities privately in October last year to allow a patch to be developed. Now that the patch has been issued to plug the vulnerabilities, Core Security has published the details.
Jan 27, 2016 | Cybersecurity News, Internet Security News, Network Security
An Irish data security survey conducted in December, 2015., has revealed that a third of Irish companies have suffered a data breach in the past 12 months, highlighting the need for Irish companies to improve their security posture.
ICS Irish data security survey indicates employees are the biggest risk
150 IT security professionals took part in the Irish Computer Society survey with 33% claiming their employer had suffered a data breach in the past 12 months. In 71% of cases, the data breaches occurred as a result of the actions of staff members.
Perhaps unsurprisingly given the number of inadvertent data breaches that had been caused by staff members, 45% of respondents cited employee negligence as being the biggest single data security threat they faced. Protecting networks from errors made by employees is going to be one the biggest security challenges faced by Irish IT professionals in 2016.
Other major security concerns highlighted by respondents included the increasing number of end user devices that are being used to store sensitive data, and the increasing threat of cyberattacks by hackers.
Improving security posture by tackling the issue of employee negligence
Employees are the weakest link in the security chain, but that is unlikely to change unless less technical members of staff are provided with training. It is essential that they are advised of the risk of cyberattacks and what they can personally do to lessen the chance of a data breach occurring. In many cases, some of the most fundamental data security measures are not so much ignored, but are just not understood by some members of staff.
It may be common knowledge for instance, that 123456 does not make a very secure password, that email attachments from strangers should not be opened, and links to funny videos of cats on social media networks might not turn out to be as innocuous as they seem.
Tackling the issue of (dare we say) employee data security stupidity is essential. It is far better to do this before a breach is suffered than afterwards. Proactive steps must be taken to improve understanding of cybersecurity risks, and what employees can do to reduce those risks.
ICS Irish data security survey respondents indicated the best way of improving data protection knowledge is by conducted formal training sessions. 57% of respondents said this was the best approach to deal with data security knowledge gaps.
Fortunately, the level of training being provided to staff is increasing, not only for end users but also data security staff. However, there is clearly still a long way to go. Only 56% of respondents said they had received the right level of training on how to achieve the objectives set up their organizations.
The full findings of the Irish data security survey will be made available at the Association of Data Protection Officers National Data Protection Conference, taking place on January 27/28 in Ballsbridge, Dublin.
Jan 25, 2016 | Cybersecurity News, Network Security
A security vulnerability has been discovered with FortiGuard network firewall appliances that could potentially be exploited by hackers. Should the FortiGuard SSH backdoor be exploited, a hacker would be able to gain full administrative privileges to Fortinet security appliances.
FortiGuard SSH backdoor is an unintentional security vulnerability
The FortiGuard SSH backdoor was not been installed by hackers, but is an unintentional security vulnerability in the FortiOS operating system. The FortiGuard SSH backdoor was discovered this month by a third party security researcher. An exploit for the security vulnerability has already been published, making it imperative that all users of FortiGuard firewall appliances install the latest version of the operating system. All users must ensure that their devices are running on FortiGuard version 5.2 or above.
After the security vulnerability was announced Fortinet started an investigation to determine whether any other devices were affected. A statement released by Fortinet last week indicates that in addition to Fortinet FortiGuard, FortiAnalyzer, FortiCache, and FortiSwitch are also affected and contain the vulnerability.
In order to prevent the backdoor from being exploited users have been advised to upgrade to version 3.0.8 of FortiCache, version 3.3.3 of FortiSwitch, and versions 5.0.12 or 5.2.5 of FortiAnalyzer.
The FortiGuard SSH backdoor is a Secure Shell vulnerability. According to a Fortinet blog post, the security vulnerability has not been created by a malicious insider or outsider, but was an “unintentional consequence” of a feature of the operating system. The aim was to ensure “seamless access from an authorized FortiManager to registered FortiGate devices.” The vulnerability involves an undocumented account which has a hard-coded password.
If it is not possible for users to immediately upgrade to the latest OS, Fortinet advises using a manual get around, which involves disabling SSH access and switching to a web-based management interface until the OS can be upgraded.
Last month a security vulnerability was discovered in the ScreenOS operating system used by Juniper Networks. In that case, the backdoor had been inserted by a malicious insider or outsider. The code would allow a hacker to gain full administrative privileges to NetScreen firewall devices and view encrypted data sent via VPN networks.
Jan 21, 2016 | Cybersecurity News, Network Security
Many companies have responded to the threat of data theft by hackers by using encryption. If hackers do break through the security perimeter and gain access to computers or networks, customer data will not be exposed. However, the same cannot be said of employee data. A new security report suggests employee data theft is rife, and that the personal information of employees is much more likely to be stolen that customer data.
Employee data theft is a real concern – Don’t forget to encrypt ALL sensitive data!
A recent study has shown that when it comes to protecting intellectual property and the personal information of employees, mid-sized companies around the world fail to use the same stringent measures that they apply to customer data.
The Sophos/Vanson Bourne study revealed that 43% of midsized companies – those employing between 100 and 2,000 members of staff – do not regularly encrypt human resources files. Human resources files usually contain sensitive information on employees: names, addresses, contact telephone numbers, dates of birth, emergency contact information, and government IDs such as Social Security numbers. These are exactly the kind of data sought by hackers. These data can easily be used to commit identity theft.
The survey was conducted on respondents from Australia, Canada, Japan, Malaysia, and the United States indicating this is a global problem.
In the United States, where ma high percentage of cyberattacks on midsized companies are taking place, 45% of companies appear not to be encrypting employee data, even though these companies face a high risk of employee data theft. Even financial data is left relatively unprotected. Almost a third of companies in the United States are not encrypting their financial data.
It is not a case of encryption not being implemented at all by midsized companies. In the United States for example, 43% of midsized companies use encryption to some degree, while 44% claim they widely encrypt data. The figures are understandably lower for small organizations, in a large part due to the cost of encryption. 38% of small businesses widely encrypted data. Half of larger organizations used encryption for most data.
Companies are not applying safeguards evenly and are leaving gaping security holes. It is not only the threat of employee data theft that is being underestimated. Many organizations are not encrypting data they send to the cloud. Only 47% claimed to encrypt “some files” sent to the cloud and just 39% encrypt all data sent to the cloud. However, 84% of respondents claimed to be worried about cloud security.
Why is encryption not being universally applied?
The survey probed respondents to find out why data encryption is not being used. Four out of ten organizations claimed this was due to budgetary constraints. Three out of ten said it was because of performance trade-offs and a similar number said it was an issue with how to actually encrypt data. Interestingly almost 20% of respondents claimed that encryption wasn’t actually effective at protecting sensitive data.
There is also a commonly held belief that encryption is complex, or cannot easily be implemented. While this was certainly the case a few years ago when full disk encryption was the only option, this is now no longer the case. Encryption technology has advanced considerably in recent years. Companies should therefore take a fresh look at encryption and take steps to prevent employee data theft and the exposure and theft of their intellectual property.
Hackers steal data for financial gain. Employee data theft should be a concern, as should the theft of intellectual property. These data have considerable value. It is not just customer data that can be used to commit fraud or be sold on the black market.
Jan 15, 2016 | Cybersecurity News, Internet Security News
New Android Smartphone malware has been identified that gets around the security systems used by banks and other financial institutions to keep customers protected. The malware is managing to intercept messages that are sent to customers’ Smartphones used as part of the bank’s two-factor authentication system. However, an update to the Android Smartphone malware means it is now capable of intercepting passcodes on more robust 2FA systems.
Two-factor authentication is not infallible
Two-factor authentication offers enhanced security for bank customers. Rather than relying on a username and a password, and additional factor is used to verify identity. A one-time passcode is sent to a user’s Smartphone and that passcode is then used to authorize a transaction. If the passcode is not entered the transaction cannot be made. The codes are sent to the Smartphone via SMS in most cases, although some banks use an automated voice call to deliver the passcode.
This means that even if a user’s login credentials are obtained by a criminal they cannot be used to authorize a bank transfer unless the attacker has also managed to obtain the Smartphone of the account holder (or other device registered with the bank and used for two-factor authentication.)
While two-factor authentication makes it harder for fraudulent transactions to be made, the system is not infallible. In fact, the account holder’s device does not even need to be stolen in order for a criminal to empty a bank account. If malware can be loaded onto the device that can intercept the SMS text this will allow an attacker in possession of the login credentials to make fraudulent transfers.
Automated voice call passcode delivery intercepted by Android Smartphone malware
SMS messages can be intercepted easily if malware is installed on a device. Because of this, some banks are moving away from SMS passcodes and are now favoring the delivery of codes via an automated voice message. However, the latest android Smartphone malware is capable of obtaining these passcodes as well.
Android.Bankosy malware has been adapted to beat this system of passcode delivery. The malware will simply forward the voice call to the attacker, unbeknown to the victim. This is possible because Android.Bankosy is capable of enabling silent mode on the phone so the user is not aware that a call is being received. If the attacker has the login credentials, a transaction can be initiated. The voice call is redirected to the attacker, and that code is then used to complete the transaction.
Jan 11, 2016 | Cybersecurity News, Internet Security News, Network Security
Hackers have potentially gained access to the data of hundreds of thousands of Time Warner Cable customers. The Time Warner Cable security breach was discovered by the FBI, which tipped off TWC last week. Affected individuals are now in the process of being notified.
320,000 customers potentially affected by Time Warner Cable security breach
The Time Warner Cable security breach was announced on Wednesday last week. Scant information was initially provided to the media about the security breach and how customer data came to be stolen by cybercriminals.
According to a statement released by the company, there has been no indication that the company’s computer systems were compromised in a cyberattack, and customers have only been advised to change their passwords as a precaution. The company advised customers via email as well as direct mail that their email addresses and passwords may have been compromised.
Over the next few days, further information about the Time Warner Cable security breach was released. At first a statement said residential customers were affected across all markets. It later came to light that the data were stolen not from TWC, but from a third party who had access to customer information.
Investigations into the TWC data breach are continuing, but at this present moment it would appear that the Time Warner Cable security breach only affects Roadrunner email accounts (rr.com).
Customers have been directed to resources where they are provided with further information about how to identify a phishing attack. There is a possibility that affected individuals will be contacted via email by the data thieves in an attempt to obtain further information that can be used to commit identity theft or fraud.
However, what will be particularly worrying for the victims is not the possibility that they may be subjected to future phishing campaigns but what confidential information they have in their email accounts. Email accounts may contain highly sensitive information about an individual which, in the wrong hands, could be used to cause considerable harm.
The information in an email account could allow a cybercriminal to build up a highly detailed knowledge of an individual. That information could then be used to conduct a phishing campaign or cyberattack on that individual’s contacts.
Last year, Ping Identity conducted a survey on 1,000 enterprise employees in the United States and discovered that almost two thirds of respondents shared passwords between work and personal accounts. Data in personal email accounts could also potentially be used to conduct phishing campaigns on employees with a view to gaining access to their employer’s computer network.
As a precaution against fraudulent use of any information, all affected customers should change their email password promptly. It would also be a wise move for any individual who has a roadrunner email account to also change their password, even if a breach notice letter or email is not received.
TWC is America’s second largest cable company and serves 16 million customers across 29 states.
Jan 7, 2016 | Cybersecurity News, Internet Security News
On December 31, 2015, the British Broadcasting Company (BBC) suffered a cyberattack which resulted in all of its websites being taken offline for a number of hours. A hacking group operating under the name “New World Hacking” has now claimed responsibility for the BBC DDoS Cyberattack.
BBC DDoS cyberattack conducted to test hacking group’s capabilities
The BBC was chosen not because of some vendetta against the broadcaster, but as a test of the power of the hacking groups servers ahead of planned attacks on ISIS. The hackers behind the BBC DDoS cyberattack did not actually intend on taking down the BBC websites, but it turned out that the servers being used for the attack proved to be “quite strong,” according to one member of the group who came forward.
‘Quite strong’ is something of an understatement. The BBC DDoS cyberattack was the largest ever recorded, with traffic up to 660 Gbps, which corresponds to many tens of thousands of connections. The hackers took down the BBC website using the Bangstresser tool, and used two nodes of attack and “a few extra dedicated servers.” Before the BBC DDoS cyberattack, the largest ever recorded was a 334 Gbps attack on an Asian network operator last year.
Attacks of this size are rare. Few manage more than 100 Gbps and when attacks of this magnitude occur they tend to be fairly short-lived, although while they are being conducted they can cause a substantial amount of damage. Many of the connections will be blocked by network filters, which are capable of identifying spoofed IP addresses, although by no means all. Attacks of this scale are likely to cause a serious amount of damage to enterprise networks.
In this case, the hacktivists were only testing capabilities and the motivation for the attack appears to have been made clear; however not all hackers conduct DDoS attacks to disrupt web services or take down servers. All too often a DDoS attack is conducted as a smokescreen to distract IT staff while the real mission is completed. One part of a network is attacked, while other members of the group attempt to gain access to other parts of the network and install backdoors for subsequent attacks or steal data. This was demonstrated recently by the attack on UK Broadband and mobile phone service provider TalkTalk.
Who are New World Hacking?
New World Hacking is an American group of 12 hackers – 8 men and 4 women – that was formed in 2012. The group has conducted numerous campaigns against terrorist organizations in the past, as well as on other groups and individuals that the hackers deem to be unpleasant or whose views or actions are contrary to the group’s beliefs.
New World Hacking has previously conducted large-scale DDoS attacks and has taken down websites run by members of the Ku Klux Klan, as well as websites depicting child pornography. Other targets include Donald Trump. That attack occurred at the same time as the BBC DDoS cyberattack and resulted in the presidential candidate’s website being taken offline for five hours. The group targeted Trump because of his recent “racist rhetoric.”
The group was also active after the recent Paris terrorist attacks and attempted to identify social media accounts used by ISIS.
The main target of New World Hacking is ISIS. The group is now planning to use its servers for attacks on ISIS websites, and those of ISIS supporters. The group claims to have a list of targets that it plans to attack in the very near future.
A member of the group going by the name of Ownz told the BBC “We realize sometimes what we do is not always the right choice, but without cyber hackers… who is there to fight off online terrorists?” The group aims to unmask ISIS, stop its spread, and end the propaganda.
Jan 6, 2016 | Cybersecurity News
Last month, President Barack Obama put his signature to an Omnibus spending bill of $1.1 trillion which contained the Cybersecurity Information Sharing Act of 2015. The purpose of the act is to encourage the sharing of cybersecurity threat intel. The Obama administration believes this is essential in order for the country to win the war against cybercrime.
Cybersecurity Information Sharing Act of 2015 signed into law
The Cybersecurity Information Sharing Act of 2015 is a compromise bill that was penned after previous attempts to introduce legislation to force private sector companies to share cybersecurity threat intelligence failed to make it past the House and Senate. Instead, the Cybersecurity Information Sharing Act of 2015 facilitates the voluntary sharing of intelligence by removing some of the legal obstacles that have previously got in the way of data sharing.
It has long been possible for private sector companies to share certain cybersecurity information with government organizations; however, many companies have failed to do so out of fear of legal action stemming from accidental antitrust violations and inadvertent violations of the private rights of individuals. There was also concern that some of the information required by the federal government could in fact be used against the organization sharing the information. Regulatory enforcement actions for example.
The Cybersecurity Information Sharing Act of 2015 offers private companies immunity from private and government lawsuits, along with other claims that could potentially result from the sharing of cybersecurity intelligence.
Sharing of cybersecurity intelligence and immunity from lawsuits
The new law allows any person or private group to share cybersecurity information with the federal government. That information includes cyber threat indicators – information that describes the attributes of a threat – and defensive measures. Defensive measures are defined as actions, devices, signatures, techniques, or procedures that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”
Before any information is shared with the federal government it must first be stripped of personal information relating to specific individuals or information that would allow specific individuals to be identified.
The Cybersecurity Information Sharing Act of 2015 allows companies to share intel primarily with the Department of Homeland Security, although a host of government agencies such as the Departments of Commerce, Energy, and Justice. The information would also be shared with the Department of Defense, which includes the NSA, as well as the Office of the Director of National Intelligence.
The US Attorney General and Secretary of Homeland Security will prepare and publish guidelines to aid organizations with the identification of information that qualifies as a cyber threat indicator. Assistance will also be provided to help organizations identify the information that must be removed prior to sharing to avoid violating privacy laws.
Seven National Guard Cyberprotection teams will be set up and active by the start of 2020 to help deal with new cybersecurity threats. Those teams will be spread across 23 states and will be capable of rapidly mobilizing soldiers and airmen to assist U.S. Cyber Command.
Jan 5, 2016 | Cybersecurity News, Internet Security News, Social Media
It has been a long time coming, but Facebook has finally taken the decision to stop using Flash for video. The social media site is now using HTML5 for all videos served on the site. Facebook Flash video is no more, but Adobe Flash has not been totally abandoned yet, as it will still be used for Facebook games. Hackers can take some comfort from the fact that Farmville players will still be highly susceptible to attack.
Facebook Flash Video Retired to Improve User Experience
The move away from Facebook Flash video didn’t really require any explaining, although a statement released by Facebook said the move was required “to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.” The move to HTML5 not only makes the social media site more secure, HTML5 improves the user experience. Videos play faster, there are fewer bugs, and HTML allows faster development. The social media network also plans to improve the user experience for the visually impaired using HTML5.
The move appears to have been welcomed by Facebook users. Since changing over to HTML5, users have added more videos, registered more likes, and are spending more time viewing videos.
The End of Adobe Flash is Nigh
Unfortunately, it is not quite so easy for the Internet to be totally rid of Flash. The video platform has been used for so long it is still a major part of the web. However, its 10-year reign is now coming to an end. Google Chrome stopped supporting Flash last year and Amazon also banned the use of Flash for video last year. YouTube made the switch from Adobe Flash to HTML5 and with without Facebook’s 8 billion video views a day no longer being served through Flash, the majority of web videos will now be viewed without Adobe’s platform.
Even Adobe appears to be trying to distance itself from its toxic product, having abandoned the name Flash in recent weeks. The company is attempting to deal with the huge number of zero day vulnerabilities as soon as they are discovered, and is patching them quickly, but it is fighting a losing battle. HTML5 provides everything that Flash offers in terms of functionality, minus the myriad of security holes.
Security Risk from Adobe Flash too High
Flash is well known for being a hackers dream as the software platform contains more holes than a sieve. Early last month a new patch was released to address 78 CVE-classified security vulnerabilities, 75 of which were totally separate. This, it has to be said, is an insane amount of security vulnerabilities to discover and address in a single patch. Adobe was quick to point out that it has not received reports of those vulnerabilities being used in the wild, but this has done little to address security fears about Flash.
The risk of drive-by malware attacks is simply too high with Flash. All it takes is for one malicious Flash based advert to be sneaked onto a site, and any visitor with a Flash browser plugin enabled could be automatically infected.
Even with the 78 vulnerabilities now addressed, Adobe Flash is far from secure. In fact, even the early December mega patch was not enough. Adobe was forced to issue yet another update on December 28 to address a number of new critical security vulnerabilities that had been uncovered. The total number of Flash security vulnerabilities addressed in 2015 is now estimated to be 316.
With YouTube ditching Flash and Facebook Flash video no more, the demise of Adobe Flash has surely been hastened.
Dec 30, 2015 | Cybersecurity News, Internet Security News
The Superfish scandal discovered to affect purchasers of new Lenovo laptops last year showed that ad injection software poses considerable risks to users. Ad injection software risk cannot be easily managed. Even brand new laptops can come installed with software designed to deliver ads to users. Unfortunately, programs such as Superfish can also be used by hackers to conduct man-in-the-middle attacks.
Hackers can potentially exploit security vulnerabilities in ad injection software. In the case of Superfish, the software was pre-installed on Lenovo laptops. In order to serve ads, the software used a self-signed root certificate that generated certificates for secure HTTPS connections. The software substituted existing HTTPS certificates with its own in order to serve ads to users while they browsed the Internet. Unfortunately, if the password for ad injection software is discovered, as was the case with Superfish, HTTPS connections would no longer be secure. Hackers would be able to eavesdrop and steal user data.
Man-in-the-middle (MiTM) techniques are increasing being used to serve adverts while users browse the Internet, but the ad injection software risk of hackers taking advantage is considerable. The software is capable of network layer manipulation, injection by proxy, and can alter DNS settings. These techniques are used to serve adverts, but this is outside the control of the browser and the user. Since these programs can be manipulated and exploited by hackers they also pose a considerable security risk, and one that the user is unable to easily address.
Microsoft takes action to reduce ad injection software risk
The ad injection software risk is considerable, so much so that Microsoft is taking action to tackle the problem. By doing this, Microsoft will hand back choice to the user. The company has updated its criteria for determining what software qualifies as Adware, and has recently announced it will be taking action to reduce risk to users and prevent unwanted behavior by Adware.
Rather than the manufacturer of the equipment or developer of the Adware program dictating the browsing experience for users, Microsoft will be handing back control to the user. Microsoft’s policies now demand that “programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.”
Not only will Superfish-style programs be banned by Microsoft, by March 31, 2016 any programs that are detected will be detected and removed.
Dec 29, 2015 | Cybersecurity News, Internet Security News, Web Filtering
With Internet use increasing in schools the UK government has taken the decision to make school web filters mandatory. The government has previously recommended that schools implement web filtering solutions, although many schools have not taken action to curb and monitor Internet use in classrooms. Consequently, children are still able to access adult and other potentially damaging content.
The government is now going to get tougher on schools and will introduce legislation to force primary and secondary schools to filter online content. From September 2016, primary and secondary school children must also be educated about online safety.
How School Web Filters Make the Internet Safer for Kids
The main aim of mandatory school web filters is to prevent them from accessing online pornography at school and other potentially damaging content. The move will make it harder for religious extremists to radicalize children and it is hoped that the implementation of school web filters will help to reduce instances of cyber-bullying.
Some evidence has emerged that shows UK school children who have tried to leave the country, or have travelled to Syria, have been able to access information about Daesh/IS from school computers. Ministers believe that action must be taken to prevent such material from being viewed at school, but to also identify individuals who are attempting to access such material. Greater efforts can then be made to tackle the issue before it is too late. Children must also be educated more about how to stay safe when using social media websites such as Facebook, Twitter, Snapchat, and Instagram.
Proposals were published last week on the introduction of new measures to curb Internet usage in schools, which will include school web filters but also monitoring systems to identify individuals who are attempting to access illegal, dangerous, or inappropriate content. There is also concern that individuals will try to access the same material at home. To tackle that issue, the Department of Education has drafted new guidance for parents to help them keep their children safe at home.
School web filters will prevent all adult content from being accessed from any computer connected to a school network. Websites known to promote IS could also be blocked, along with other potentially harmful content. Children must be allowed Internet access at school as it is now an essential part of their education, but they must only be permitted to use the Internet responsibly. Greater efforts must be made to prevent children from being exploited, radicalized, groomed or recruited by extremists.
The new proposals are to be discussed over the next two months and a consultation will take place, after which the proposals will go to the vote. If adopted, enforcing school web filters will come under the remit of Ofsted.
Sky Implements Automatic Web Filtering to Block Online Pornography
School web filters are only one measure that is required to keep children safe. Protecting minors at home is another matter. Guidance can be given to parents, but that does not mean that all parents will read that information and take action to prevent inappropriate Internet usage at home. Sky Broadband is now planning to do its bit. From 2016, all new customers will be automatically prevented from accessing online pornography at home. New customers will be required to opt in rather than opt out if they want to view pornography. Any content with a rating of 13 years or above will also be automatically blocked until 9pm. At present, new customers are prompted to pick which elements of the Internet will be blocked by Sky web filters when they first access the internet.
Sky will also be backdating this new measure. A statement issued by Sky Broadband indicated this will be applied to all customers who have “joined since November 2013 and have not turned on Sky Broadband Shield”. According to Ofcom, only 30-40 percent of Sky customers have activated its web filter. Other broadband providers are being urged to follow suit. Currently only 6% of BT Broadband customers have implemented parental controls.
Dec 24, 2015 | Cybersecurity News, Internet Security News
EU fines for privacy violations are likely to be issued to companies that fail to implement security measures to prevent their customers’ data from being stolen by cybercriminals. EU fines for privacy violations can be substantial, although the watchdogs that are able to issue them are limited. That is all about to change. The European Union has taken decisive action and will be penalizing companies that do too little to protect their customers.
EU fines for privacy violations apply to any company doing business in EU countries
Last week, negotiators met up in Strasbourg, France, and signed a new deal that will change data protection laws in the EU. It has taken some time for this update to take place, having first been discussed four years ago. There has been much debate about the level to which companies should be held responsible for data breaches, although finally all sides have come to an agreement that better protects consumers, make businesses more responsible, and will not interfere with efforts to bring cybercriminals to justice.
The changes to the law will ensure that more companies are held accountable for their lack of security controls. With the threat of cyberattacks increasing, and a number of major attacks suffered by companies over the past few years, an overhaul of data protection laws in Europe was long overdue.
Current legislation is somewhat patchy, offering limited protection for consumers. Companies in some industries can be fined up to 1 million Euros for privacy violations and the exposure of customer data, while others are allowed to escape without penalties.
The new EU fines for privacy violations will not have a fixed limit. Fines for businesses who are hacked or otherwise expose customer data will be as high as 4% of a company’s global annual sales. The aim of the new law change is to give companies a considerable incentive to invest in cybersecurity protections to keep their customers’ data secure, and improve consumer trust.
The law changes will also require companies doing business in any of the European Union’s 28 member states to disclose data breaches that have exposed consumer data. While privacy groups have welcomed the changes, business groups have not been quite so complimentary.
New EU fines for privacy violations to come into effect in 2018
According to EU Justice Commissioner Vera Jourova, “These new pan-European rules are good for citizens and good for businesses.” She also pointed out in a statement issued after the announcement of the conclusion of the negotiations that consumers and businesses stand to “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”
It will take a further two years for the new laws to come into effect, with the new EU fines for privacy violations expected to start being issued in 2018.
Dec 23, 2015 | Cybersecurity News, Network Security
According to security researchers, the recently discovered Juniper Networks security flaw could have been created by the NSA to spy on Juniper Network customers. Others claim it is the work of a foreign government, although the NSA is still implicated.
Juniper Networks security flaw is a backdoor allowing customers’ information to be decrypted
Juniper Networks has discovered an external third party has inserted code into its software that could be used as a backdoor, potentially allowing hackers to decrypt secure communications and spy on customers’ data.
The networking equipment manufacturer’s corporate virtual private network (VPN) software was discovered to contain rogue code that allowed a security flaw to be exploited for the past three years. The Juniper Networks security flaw could have allowed the internal secure communications of customers to be viewed by hackers. The Juniper Networks security flaw would have allowed all VPN traffic to be monitored.
Juniper Networks security flaw now patched?
According to a statement released by Juniper Networks SVP and chief information officer, Bob Worrall, “Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”
If a customer had communications intercepted they would likely to see a log file entry saying “system” had logged in and had a password authenticated. However, it has been proposed that an individual with the skill to insert the code and exploit the flaw would likely also be able to remove traces of a successful login attempt. Consequently, it is not possible to tell with any degree of certainty whether the Juniper Networks security flaw has actually been exploited.
That said, it would be odd for an individual or group of hackers to go to the trouble and expense of creating a sophisticated backdoor that allows secure communications to be monitored, and then not use it in the three years that it has existed.
A patch has now been released to tackle the issue and all customers have been advised to upgrade the software immediately. Whether the patch actually fixes the security flaw is debatable. Some suggest it does not tackle the vulnerability at all, and certainly does not entirely fix the problem.
Government agencies investigate: NSA implicated
The code insertion is being investigated by the FBI, Department of Homeland Security, and the White House National Security Council has also taken an interest.
Junipers’ clients include the U.S. Defense Department, FBI, Justice Department, and the U.S. Government. The sophisticated nature of the hack, together with the types of customers Juniper has, has led many to believe the code insertion is the work of foreign government-backed hackers.
However, not all security experts agree. Some believe that far from Russia, North Korea, or China being behind the hack, it could actually have come from within. Ralf-Philipp Weinmann, CEO of German security research company Comsecuris, has suggested that this could well be the work of the NSA.
He claims the Juniper Networks security flaw was a re-purposed decryption backdoor that had been inserted by the NSA more than a decade ago, albeit indirectly. The Dual_EC encryption algorithm that the NSA had lobbied to be included in encryption standards after discovering a flaw that could be exploited made the hack to be possible.
While the NSA could have inserted the code, even if it didn’t it could certainly have exploited it and used it to eavesdrop.
While the U.S. government, FBI, and others investigate and attention is focused on who may have been able to gain access to highly confidential U.S. data, it should be noted that the U.S. is not the only country that has many high profile customers using Juniper Networks ScreenOS firewalls. The firewalls are popular in Arab countries and the security flaw could have been used by the United States, Israel, UK, and others to eavesdrop on secret communications of Arab states.
Dec 18, 2015 | Cybersecurity News, Internet Security News, Network Security
A recently published 2015 security study has shown cyberattacks are pervasive and are likely to be suffered by virtually all organizations. However, IT security professionals have been taking proactive steps to reduce end user security risk and have also implemented better cybersecurity solutions to keep networks secure. Consequently, they feel much better able to deal with 2016 security threats.
New 2015 security study indicates 80% of organizations have suffered a security incident this year
Optimism appears to be high and many organizations believe they will be able to prevent security incidents from being suffered in 2016, which is great news. Unfortunately, that does not appear to have been the case this year. According to the Spiceworks study, 80% of respondents suffered a security incident in 2015.
Even though 8 out of ten organizations admitted to being attacked this year, they do feel they will be better able to deal with whatever 2016 has in store. Seven out of ten respondents said they would be better equipped to deal with cybersecurity attacks in 2016.
The reason for the optimism is an increased investment in both cybersecurity solutions and the provision of further training to members of staff. A more security conscious workforce means it will be much easier to prevent security breaches caused by malware infections, phishing attacks, and ransomware.
The study indicated that 51% of companies were attacked by malware this year, while 38% suffered phishing attacks. Ransomware is a cause for concern and threats have been reported extensively in the media, yet only 20% of companies actually suffered a ransomware infection.
Theft of corporate data only suffered by 5% of companies
There have been numerous reports of data breaches being suffered in 2015, and hackers have been able to steal corporate data and tens of millions of consumer records, yet the survey indicates only 5% of respondents actually suffered data theft this year. 12% of companies reported instances of password theft during 2015. That said, it is still a major cause of concern. 37% of respondents said they were still worried about the theft of data and passwords.
End user security risk main cause for concern among IT security professionals?
The study revealed what is keeping IT security professionals awake at night, and for the vast majority it is the threat posed by end users. IT security professionals can invest heavily in security defenses to keep hackers at bay, yet all the effort can be undone by the actions of a single employee. 48% of respondents were concerned about end users installing software on their work devices or the use of unauthorized technology. 80% claimed the biggest data security challenge was reducing end user security risk.
IT security pros also rated devices by the level of risk they posed to network security.
Riskiest network connected devices:
- Laptops: 81%
- Desktops: 73%
- Smartphones: 70%
- Tablets: 63%
- IoT Devices: 50%
Measures have been taken to reduce end user security risk
IT security professionals are well aware that it can be a nightmare preventing end users from doing stupid things that result in their devices and corporate networks being compromised. Fortunately, they have realized there is a very simple and effective proactive step that can be taken to reduce end user security risk. That is to provide staff with security training.
The IT department can implement a wide range of sophisticated defenses to prevent security incidents, but if end users install malware on the network, respond to a phishing campaign, or give their login credentials out to a scammer, it will all be for nothing.
Respondents realized there is no use complaining about the risk that end users pose. Action must be taken to reduce end user security risk. By providing training on current threats and network security risks, the staff can be empowered to take action to keep their network secure.
Training employees to be more security conscious and instructing them how to identify scams and avoid malware is a highly effective strategy for reducing network security risk. The study revealed that 73% of IT security professionals have enforced end user data security policies and regular end user security training is now being provided by 72% of IT security pros.
Dec 16, 2015 | Cybersecurity News, Internet Security News
The latest data breach predictions by IDC analysts do not make for pleasant reading. If the data breach predictions turn out to be true, 1.5 billion individuals will be affected by data breaches in the next 5 years.
Companies being targeted by cybercriminals looking to steal consumer data
U.S. companies are being increasingly targeted by foreign cybercriminals. European businesses are similarly suffering more cyberattacks. In fact, companies all over the world are being attacked by criminals looking to gain access to consumer data. It is now no longer a case of whether a data breach will be suffered. It is now just a case of when a data breach will occur.
Companies must therefore be prepared. They must implement a host of security defenses to prevent cyberattacks from occurring, and need to make it harder for hackers and other cybercriminals to gain access to sensitive data. Failure to take action and implement multi-layered cybersecurity defenses will see a data breach suffered sooner rather than later. A breach response plan must also be devised to limit the damage caused when an attack is successful.
Data breach predictions for the next 5 years
The number of data breaches being suffered by companies all around the world has grown considerably in recent years, and the situation is unlikely to change. Based on the current levels of attacks, and the volume of data now being stolen by cybercriminals, IDC analysts made some bleak data breach predictions this month.
They expect that by the year 2020, a quarter of the world’s population will have had data exposed as a result of cyberattacks. That’s 1.5 billion individuals!
IDC also predicts that consumers will increasingly take action when their data are exposed. In fact, we are already seeing consumers boycott brands that have suffered major cyberattacks. Many consumers who previously shopped at Target for instance, have switched retailers following the massive data breach suffered in 2013.
In the UK, many consumers are switching broadband and mobile phone provider after TalkTalk was hacked by a group of teenagers this year. In the United States, there has been considerable fallout as a result of the massive data breaches suffered by Anthem Inc., and Premera Blue Cross. Customers have switched their health insurance to companies that they believe will take better care of their health data.
Data Breach predictions for healthcare organizations
Many cybercriminals have switched from targeting retailers for credit card data to healthcare providers and insurers for Social Security numbers and health information. The value of health data is much higher than credit card information. Once a credit card has been stolen, consumers rapidly shut down their accounts. Credit card companies are on the lookout for suspicious activity and block cards quickly. Healthcare data and Social Security numbers on the other hand can be used for months or even years before identity theft and fraud are discovered. Cybercriminals can use healthcare data and SSNs to defraud individuals and obtain tens of thousands of dollars before fraud is even detected.
The value of healthcare data, combined with the relatively poor defenses put in place by many healthcare organizations, has seen cybercriminal activity increase. The volume of healthcare data breaches has grown considerably over the past few years. Those data breaches are unlikely to stop in the foreseeable future. IDC’s healthcare data breach predictions for next year are bleak. Its analysts expect one in three Americans to have their healthcare data stolen in 2016.
113 million healthcare patients had their data exposed in 2015
The company’s data breach predictions are unlikely to be far off the mark. According to figures from the United States Department of Health and Human Services’ Office for Civil Rights, the agency charged with policing healthcare organizations, over 154 million healthcare patients and health insurance subscribers have had their healthcare data exposed since data breach reports were made public in 2009.
Almost 113 million of those healthcare records were exposed this year. That’s 73% of the total number of breach victims created in the last 7 years! If anything, IDC’s healthcare data breach predictions are overly conservative!
Dec 14, 2015 | Cybersecurity News, Internet Security News
A Twitter cyberattack has prompted the social media network to issue warnings to some users of the social media site. It would appear that attackers have attempted to gain access to the accounts of a limited number of individuals, but those attacks do not appear to have resulted in a breach of user data.
Twitter cyberattack prompts warnings to be sent to site users
The warnings appear to have only been sent to certain United States based users of the website. The emails warn users that foreign government-backed hackers are targeting the site and are attempting to steal user data. According to the warnings, user account data is not believed to have been obtained and, if it has, only a small amount of personal data would have been revealed.
Twitter has offered some suggestions to any users that have been targeted to allow them to take action to reduce risk. They have been told they can switch to the Tor network to access their accounts, or it was suggested they tweet under a pseudonym.
It would appear that the attackers responsible for the Twitter cyberattack are attempting to get the phone numbers, email addresses, and IP addresses. It is conceivable that the individuals were targeted to allow the hackers to send out tweets from the users’ accounts.
The warning alerted users to a “small group of attackers” who are targeting the site. If another Twitter cyberattack is attempted, the social media site will send out a warning email to advise the affected party or parties of the attempted attack.
Latest Twitter cyberattack appears not to be random
The Twitter cyberattack appears to have targeted specific users of the website. The individuals and companies that the attackers have targeted are security experts or activists. Coldhak, a not-for-profit company dedicated to improving privacy, security, and freedom of speech, was one of the organizations that the hackers attacked.
Twitter is currently conducting a full investigation into the attempted hacking of Twitter accounts. The warning indicates that the social media microblogging platform is being ultra-cautious and is alerting users as a proactive step to prevent a breach of customer data, as well as reducing the potential damage caused by an attack.
Both Facebook and Google have recently sent out warnings to users of their services alerting them to suspicious account activity. Those warnings alerted users to activity by foreign government-backed hacking groups. It would appear that Twitter is taking a leaf out of their books.
This is not the first Twitter cyberattack of course. In February 2013, Twitter reset the passwords of 250,000 users after hackers compromised accounts and gained user names, passwords, and other sensitive data. In 2010, the social media site was attacked and Japanese users of the site were directed to porn websites when attempting to access their Twitter accounts.
Dec 10, 2015 | Cybersecurity News, Internet Security News
According to the latest cybersecurity report from Osterman Research, retail industry cybersecurity risk is being seriously underestimated. There is false confidence in cybersecurity protections, and the risk of consumer and business data being exposed is considerable.
Assessing retail industry cybersecurity risk
The retail industry cybersecurity risk assessment was conducted on 125 large retailers during the month of November. The report indicates that even though security vulnerabilities have been identified, the retail industry is not taking the necessary steps to deal with those risks.
Many security holes remain unplugged. In particular, risks associated with temporary workers are not being dealt with. Retailers bring in temporary workers at busy times such as in the run up to Christmas. However, they are introducing a considerable amount of risk when the do so because they are not monitoring the activity of those workers effectively. Many actually believe they are – which is even more worrying.
Temporary workers are often provided with login credentials which are shared instead of giving each temporary worker a separate login. This eases the administrative burden on the IT department. Why create hundreds of new logins that will only be required for a short period of time? Simply give those workers low level privileges and any risk that is introduced will be minimal. Unfortunately, that may not necessarily be the case.
The study showed that 61% of temporary retail floor workers were using shared logins. It is not known whether this is a short cut taken and the risk is known, or whether retailers are unaware of the dangers that the activity involves. Even temporary workers must be given access to some data assets, yet it is impossible for some retailers to identify assets that each of those workers are accessing.
Furthermore, it is not only temporary workers that are being allowed to share login credentials. 21% of permanent workers are also sharing their login credentials.
Retail industry cybersecurity risk is being seriously underestimated
The research indicates that 62% of retailers believe they know everything their permanent workers are doing, and 50% claimed to know what data their temporary workers are accessing. Worryingly, when asked if their IT departments can identify specific systems that individual permanent employees have accessed, 92% said they could. This is clearly not the case in reality.
The study indicated that 70% of retailers gave access to corporate systems to permanent members of retail floor staff. 7% said that permanent workers had accessed systems they were not supposed to and 3% said temporary workers had done the same.
Those figures may actually be much higher as 14% of respondents didn’t know if their permanent workers had inappropriately accessed data. 26% couldn’t tell if their temporary workers were accessing data they shouldn’t. Given the potential gains to be made from gaining access to retail networks, criminals may even be tempted to take a holiday job simply to access to retail systems.
Security awareness training is also not being provided frequently enough. 60% of respondents only conducted training once or twice a year. If workers are not being kept abreast of the retail industry cybersecurity risk, they will not be able to take action to reduce that risk.
Even with the major data breaches and cyberattacks that have recently been suffered by major U.S. retailers, security vulnerabilities persist. Unfortunately, it would appear that retail IT professionals actually appear to believe they are doing a good job. If the measure of how well retail industry cybersecurity risk is being managed is whether or not a retailer has suffered a major data breach, then the industry is in pretty good shape. Unfortunately for the retail industry, if risk is not effectively managed, data breaches are likely to be suffered sooner rather than later.
Dec 9, 2015 | Cybersecurity News, Internet Security News, Network Security, Web Filtering
Just over a month ago, researchers at Heimdal identified Cryptowall 4.0 ransomware; the latest incarnation of the nasty malware first discovered in September 2014. Since then, the malware has been further developed, with the third version discovered in January 2015.
Now, Cryptowall 4.0 ransomware is threatening consumers and businesses alike. The latest version of the malware is even sneakier and more difficult to detect, and its file encryption goes much further. To make matters worse, Cryptowall 4.0 ransomware has been packed into the Angler exploit kit, making it easier for the vicious malware to be downloaded to devices.
The Angler exploit kit takes advantage of vulnerabilities in browsers, making drive-by downloads possible. Any organization that has not installed the latest browser and plugin updates is at risk of having its files encrypted.
Cryptowall 4.0 ransomware – The malware keeps on evolving to evade detection
Last month, the Cyber Threat Alliance released new figures on the cost of Cryptowall infections. The criminals behind the malware have so far managed to extort $325 million from victims around the world. The latest version of the ransomware will see that extortion will continue. The bad news is, the latest version is likely to result in a much higher rate of infection. The money being ‘requested’ has also increased. Victims are no longer being asked for $300 to unlock their files. They are being urged to pay out $700 to unlock their files and keep their systems protected.
Victims are given less choice with the latest version of the malware. Not only will their files be encrypted, in order to make it harder for victims to restore encrypted files from backups, the latest version also encrypts filenames. The aim is to confuse victims even more. It is, after all, hard to restore files if you don’t know which files need to be restored.
Angler exploit kit used to infect computers with Cryptowall 4.0 ransomware
The Angler exploit kit is particularly nasty. First of all, it is not only Cryptowall 4.0 ransomware that will be installed. Visitors to malicious websites will have a host of malware installed on their computers. The network security threat is therefore considerable.
First of all, victims have to deal with Pony. Pony is installed and gallops around gathering information. It will steal login credentials and transmit the data back to the hacker’s command and control center. Attackers are looking for more than just a $700 ransom. What they are really after is access to content management systems and web servers.
A redirect will result in Angler being dropped, which will identify security vulnerabilities that can be exploited. Angler can incorporate new zero-day vulnerabilities and has been designed to be particularly difficult to detect. Angler will then install Cryptowall 4.0 ransomware.
Greater need to install a powerful web filter to prevent infection
Unfortunately, the use of the Angler exploit kit means end users do not need to download and install Cryptowall 4.0 ransomware manually – or open a malicious email attachment. Drive-by downloads will install the malware automatically if the user visits a website infected with malicious code.
Organizations can spread the news of the latest incarnation of Cryptowall to the workforce, and issue instructions to end users to instruct them to take greater care. However, since casual Internet surfing could result in computers being infected, greater protection is required.
Some end users will take risks and will ignore instructions. It is therefore a wise move to install software solutions to minimize the risk of infection by drive-by downloads. The cost of doing so will be much lower than the cost of dealing with multiple Cryptowall 4.0 ransomware infections.
WebTitan web filtering solutions are an ideal choice. They offer system administrators a host of powerful controls to prevent end users from visiting malicious websites and unwittingly infecting computers and networks. The software offers highly granular controls, allowing individuals or groups to have Internet access controlled. Protection against malware can be vastly improved without impacting critical business processes. WebTitan allows sys admins to block web adverts from being displayed, limit access to social media networks and certain website types, as well as sites known to contain malware and malicious code.
The inclusion of Cryptowall in the Angler exploit kit makes the installation of a web filtering solution less of an option and more of a necessity.
Essential security controls to reduce the risk of a Cryptowall 4.0 infection:
Conduct regular backups of your data – If you are infected, you must be able to restore all your files or you will have to pay the ransom.
Never store usernames and passwords on a computer – These can be read and transmitted to hackers.
Do not open unfamiliar email attachments – Even if an attachment looks safe, unless you are 100% sure of its authenticity, do not download or open it.
Install a spam filtering solution – make sure all email spam is quarantined and not opened.
Keep anti-virus solutions up to date – Virus definitions must be 100% up to date. Ensure that an AV solution is used that will detect Cryptowall 4.0 ransomware.
Install patches as soon as they are released – Your system must be kept up to date. It will be scanned for vulnerabilities that can be exploited.
Dec 4, 2015 | Cybersecurity News, Internet Security News, Web Filtering
The true cost of phishing attacks is difficult to calculate accurately, but the recent Target data breach settlement gives an indication of just how costly phishing attacks can be. The U.S. retailer has recently agreed to pay $39.4 million to resolve class-action claims made by banks and credit unions to recover the costs incurred as a result of the 2013 target data breach.
The claims were made to try to recover some of the cost of re-issuing credit and debit cards to the 40 million or so customers that had their data stolen by hackers. The banks were also required to issue refunds to customers whose credit or debit cards had been fraudulently used after the 2013 Target data breach.
The Target hack was financially motivated. The perpetrators of the crime sold data or fraudulently used credit card information and the personal details of customers. Approximately 110 million customers of Target may have suffered financial losses or had their identities stolen as a result of the 2013 Target data breach.
The settlement will see Mastercard retailers paid $19.11 million, while $20.25 million will be paid to credit unions and banks. This is not the only Target data breach settlement reached this year. The retailer agreed to pay Visa card issuers $67 million in the summer, bringing the total card issuer settlement to $106.4 million; more than the $100 million paid Visa and Mastercard issuers by Heartland Payment Systems Inc. Heartland suffered a massive data breach in 2008 that exposed 100-million+ credit card numbers. The company had to pay out around $140 million in total to resolve the breach.
The True Cost of Phishing Attacks
The settlement could have been considerably higher. Target’s figures suggest that approximately 40 million credit card numbers were stolen by hackers in 2013. The settlement is therefore lower than $1 per credit card number exposed.
In addition to paying $10 million to customers, Target also had to cover the cost of implementing a swathe of additional security measures after the cyberattack to prevent similar attacks from being suffered. One of the most expensive measures was the introduction of microchip-enabled card readers in its nationwide stores.
Then there was the damage to the company’s reputation. Many consumers have stopped using Target and have switched to other retailers. The total cost of the 2013 data breach may not be known for some months or years.
The 2013 Target data breach started with employees responding to phishing emails. Those employees did not even work for Target, at least not directly. The individuals who fell for the phishing scam worked for a contractor: an HVAC company used by the retailer.
Small to Medium Sized Businesses Face a High Risk of Phishing Attacks
Heating, ventilation, and air conditioning subcontractor, Fazio Mechanical Services, was the company hackers used to gain access to Target’s network. Login credentials were stolen from the company that allowed the attackers an easy route into Target’s network.
Organizations often give limited network access to subcontractors to allow them to remotely access IT systems, either to perform maintenance, firmware or software upgrades, monitor performance, or check energy consumption and tweak systems.
If hackers can break through the defenses of the smaller companies, they can steal login credentials that will allow them to gain a foothold that can be used to attack the systems that subcontractors remote into. That is where the big prize is: a database containing hundreds of thousands – or even millions – of confidential records.
Don’t Cover the Cost of Phishing Attacks: Pay for Anti-Phishing Solutions!
Regardless of the size of your organization, it is essential to put protections in place to make it as hard as possible for hackers to penetrate defenses. Phishing is one of the commonest techniques used to steal login credentials, so it is therefore essential that controls are put in place to limit phishing risk.
Anti-phishing measures include anti-spam solutions that block phishing emails from being delivered to inboxes. If malicious attachments are identified and quarantined, less reliance is placed on staff to spot phishing campaigns. Not all attacks come via email. Malicious websites may be visited by employees and malware can be downloaded. Implementing a web filtering solution will help employers to manage phishing risk and prevent these websites from being visited by the staff. Malicious adverts can also be prevented from being displayed to employees. They are increasingly being used by hackers to direct people to phishing sites.
The cost of phishing attacks is considerable, but those attacks can often be blocked. It is much more cost-effective to implement anti-phishing solutions than to cover the cost of phishing attacks when they do occur; and occur they will.
Dec 2, 2015 | Cybersecurity News, Internet Security News, Network Security, Web Filtering
Point of sale malware is not new. Cybercriminals have been using point of sale malware to steal credit card numbers from consumers for many years. Unfortunately for retailers, the threat of POS malware is growing. Highly sophisticated malware is being developed and used to obtain a wealth of information from retailers about their customers. That information is being used to commit identity theft and fraud. POS malware is also being used to obtain corporate data.
Point of Sale Malware – The biggest data security threat for retailers
Retailers are at risk of having point of malware installed throughout the year, but in the run up to Christmas the threat is greatest. It is the busiest time of year for shopping and hackers and other cybercriminals step up efforts to get their malware installed. Hackers are hoping for another big payoff before the year is out, and they are likely to get it.
Over the Thanksgiving weekend, some of the most sophisticated malware ever seen was discovered. In some cases, the point of sale malware had been blocked. Many retailers were not so lucky. Unfortunately, identifying malware once it has been installed can be incredibly difficult, especially with the latest ModPOS malware. It is already responsible for providing millions of credit card numbers to hackers, and has caused millions of dollars of damage. The full extent of the infection is not yet known due to the stealthy nature of this new malware.
ModPOS – The most worrying point of sale malware to be seen to date
The new malware has been named ModPOS – short for Modular Point of Sale malware – and it is particularly dangerous, stealthy, and fiendishly difficult to identify once installed. Security experts have been surprised at the level of sophistication. An incredible amount of skill was required to produce malware as complex as ModPOS. It shows the level that criminals will go in order to obtain data and avoid detection.
The malware has been developed to make it exceptionally difficult to identify, and it has clearly been designed with persistence in mind. Once installed, it can perform a wide range of functions; not only serving as a keylogger and card reader, but also a tool for network reconnaissance. It is not just large U.S. retailers that will be affected. This point of sale malware may be used to infect multiple targets. If protections are not put in place to prevent infection, the potential for damage is considerable.
Security analysts first saw elements of this POS malware three years ago, but it has been subsequently developed further. It is difficult to even estimate the extent of infection due to the nature of the malware. The level of obfuscation is impressive.
It has taken some of the world’s leading cybersecurity analysts a considerable amount of time to identify this point of sale malware, and even longer to reverse engineer it. It is, to put it simply, the most complex and sophisticated point of sale malware ever discovered. iSight Partners’ senior director Steve Ward has been reported as saying it is “POS malware on steroids.” ModPOS is the result of an extraordinary amount of time, money, and development. Every aspect of the malware has been painstakingly developed to avoid detection. Every kernel driver is effectively a rootkit.
Investment by criminals in this malware is unprecedented but, then again, the rewards for that investment are likely to be as well. If a major retailer is infected, and many will be, every one of their customers’ data could potentially be obtained. The potential gains for investors in the development of this malware are likely to be off the chart.
Highly functional malware that reads cards, steals corporate data, and much more
The malware can act as a keylogger, recording all data entered by employees. It will serve as a card scraper and will read the credit and debit card details of every customer who pays via point of sale systems. The malware will simply read the card details from the memory. Even EMV terminals may not offer protection.
Data are exfiltrated to hackers’ command and control centers, but it is not even clear what data are being transmitted. The malware encrypts each transmission twice, with 128 bit and 256-bit encryption. As if that wasn’t enough, the data of each customer require a different security key to decrypt them.
The shell code used is virtually a full program in itself. According to one iSight security expert, the shell code contained approximately 600 different functions. And that is just one piece. There are many more than one in this malware. All of the different modules operate in kernel mode, making them exceptionally difficult to identify. Furthermore, the malware is not being sold via darknet marketplaces. It is being kept secret and used by the criminal gang that paid for its development. The gang behind ModPOS has effectively paid for a license to print money.
The methods being used to distribute this point of sale malware are not known, and there is no fix for the threat actor. At the present time, there is a high risk of infection, and no single defense mechanism that can be employed to prevent an attack. So far, approximately 80 major retailers have been warned to be on high alert.
Reducing the risk of point of sale malware infections
Since the threat actor is not known, retailers and other organizations should be ultra-cautious and supplement their defenses to prevent attacks from being successful. Additional measures to enhance security include:
Conversion to EMV terminals – If data is not encrypted it can be read by the malware. The memory must also be encrypted, not only stored data.
Protect all systems, not just POS – The malware contains many modules, and its full capabilities are not fully known. It is not just credit card details that are at risk. All corporate data must be protected.
Implement email filtering solutions – The malware may be delivered via spam and bulk email. Infected attachments and phishing links may be used. It is essential that robust anti-spam solutions are implemented to prevent infection.
Web filtering is essential – The executable file responsible for installing the malware must not be downloaded to any device. Blocking known malware websites and potentially malicious website adverts will help to reduce the risk of ModPOS attacks.
Instruct staff to be highly vigilant – Regardless of the software systems used to improve security defenses, employees will always be a weak link. Staff should be trained and warned to be ultra-cautious, and instructed how to spot potentially malicious emails, websites, and phishing campaigns.